
FuelPHP Forums

Can it use Session class without cookie?
  • As the title says.
    Is it possible?

  • Harro
    Accepted Answer
    Short answer: no.

    Long answer: saving the session (which happens automatically) will always set a cookie. On a request, you can choose to pass the contents of the cookie in a GET or POST variable instead of using a cookie.

    This mechanism is used for example when you use swf uploaders, that can't use a cookie...
  • Oh... so sad. Even though PHP native sessions support working without a cookie...
    Thank you.

  • Can you point to documentation that shows how PHP native sessions work without a cookie?

    Sessions are to maintain state in a stateless environment. That means that no matter how you look at it, you have to pass some sort of unique key (the session id) back and forth in every request and response.

    If you want you can issue a feature request at https://github.com/fuel/core/issues, documenting your use case.
  • As I wrote earlier, Fuel's session class has support for both GET and POST variables, so passing the session ID as a URL parameter (which is a GET variable) is not a problem at all.
  • Oh, I'm so sorry, I'll try it.
  • With GET variables, it uses the cookie_name as configured in your session.php config file.

    For example, if you are using Memcached as backend, the default cookie name is "fuelmid", so your request URL must look like http://example/org/something/else/here?fuelmid=[your-session-id]

    Note that the session id in Fuel is a serialized array. You can fetch the current session id and construct the correct format like so:

    $sessionid = serialize(array(Session::key()));

    If you intend to use an encrypted session id (this is on by default), you need to decode it as well:

    $sessionid = Crypt::encode($sessionid);
  • I tried but it doesn't work ;-<
    I use db session and use the default cookie_name 'fueldid'.
    Session::key() returns native session_id (as in db table)
    but cookie's fueldid is different.

    Your code,

    Crypt::encode(serialize(array(Session::key())));

    returns the same as the cookie's fueldid (very long),
    so I passed the session ID as the GET/POST fueldid value.
    But the Session class may be ignoring it,
    it makes a new session ID on each page access.
    mm...

    I'm using 1.5.3.
    And so
    echo Config::get('session.db.cookie_name');
    is working but
    $cookie_name = Config::get('session.db.cookie_name');
    doesn't work. Why?
  • Odd, a get is a get... What do you mean with "doesn't work"? No return value? Error message?
  • Sorry, my English is poor...
    Does it work only with GET values?
    I have to use POST, and I pass the fueldid in the POST form as a "hidden" field,
    is that wrong?

    and
    $cookie_name = Config::get('session.db.cookie_name');
    then $cookie_name has no value.
    but "echo" shows the value. It's a mystery...
  • When you use POST, you need to set the "post_cookie_name" configuration value.

    The reason this doesn't use the cookie name is that often you want to use POST in combination with cookies (for example if you use certain file uploaders), and want to use a fieldname different from the cookie name.

    See http://docs.fuelphp.com/classes/session/config.html
  • I checked the function _get_cookie() in core/classes/session/driver.php.
    So the function DOESN'T check the GET values.
    I added the code as below,

    if ($cookie === false)
    {
        $cookie = \Input::get($this->config['cookie_name'], false);
    }

    then it works correctly. Perhaps this code is dangerous,
    but I'll take this for the time being.

  • You are absolutely right, don't know where that went.

    It's not that dangerous, first they have to guess (or steal) the session id hash, and once they have a valid one, get past all security checks that are done server side (on IP and user agent for example).

    But perhaps it's better to check alternative sources only if no cookie was found?
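
The lookup order suggested in the last reply (cookie first, alternative sources only when no cookie was sent), combined with the server-side IP and user agent checks it mentions, as an added example in plain PHP. This is not FuelPHP core code and not code from the thread; the function names, the stored-session layout and all sample values are assumptions.

```php
<?php
// Added example in plain PHP; not FuelPHP core code. All function names and
// the $stored record layout are hypothetical.

// Return the session token and where it came from. The cookie always wins;
// POST and GET are consulted only when no cookie was sent.
function resolve_session_token(array $config, array $cookie, array $post, array $get): ?array
{
    $sources = [
        'cookie' => [$cookie, $config['cookie_name']],
        'post'   => [$post,   $config['post_cookie_name']],
        'get'    => [$get,    $config['cookie_name']],
    ];
    foreach ($sources as $name => [$input, $key]) {
        if (isset($input[$key]) && is_string($input[$key]) && $input[$key] !== '') {
            return ['source' => $name, 'token' => $input[$key]];
        }
    }
    return null;
}

// Server-side check: the request must come from the IP and user agent that
// were recorded when the session was created.
function session_binding_ok(array $stored, string $ip, string $ua): bool
{
    return $stored['ip'] === $ip && $stored['ua'] === $ua;
}

// Constructed sample data.
$config = ['cookie_name' => 'fueldid', 'post_cookie_name' => 'fuel_post_sid'];
$stored = ['ip' => '192.0.2.10', 'ua' => 'ExampleUploader/1.0'];

// 1. No cookie (e.g. an uploader that cannot send one): the GET value is used.
$r = resolve_session_token($config, [], [], ['fueldid' => 'TOKEN-A']);
printf("%s %s\n", $r['source'], $r['token']);

// 2. Cookie and GET both present: the GET value is ignored.
$r = resolve_session_token($config, ['fueldid' => 'TOKEN-A'], [], ['fueldid' => 'TOKEN-B']);
printf("%s %s\n", $r['source'], $r['token']);

// 3. A valid token presented by a different client fails the binding check.
var_dump(session_binding_ok($stored, '192.0.2.10', 'ExampleUploader/1.0'));
var_dump(session_binding_ok($stored, '198.51.100.7', 'OtherAgent/2.0'));
```

A session ID carried in a URL also ends up in server logs, browser history and Referer headers, so the GET source is best reserved for clients that cannot send a cookie or a POST field.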
